<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - CFI: wrong type passed to llvm.type.test with multiple inheritance devirtualization"
   href="https://bugs.llvm.org/show_bug.cgi?id=43390">43390</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>CFI: wrong type passed to llvm.type.test with multiple inheritance devirtualization
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>C++
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedclangbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>dmitry.mikulin@sony.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>blitzrakete@gmail.com, dgregor@apple.com, erik.pilkington@gmail.com, llvm-bugs@lists.llvm.org, richard-llvm@metafoo.co.uk
          </td>
        </tr></table>
      <p>
        <div>
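        <pre>In the following example, a call to a virtual function through a pointer to the
second base class fails the nvcall CFI check at run time. A similar call through
a pointer to the first base class works as expected. Both calls are valid C++, so
the reported failure appears to be a false positive. The build below uses
-fno-sanitize-trap=cfi and -fsanitize-recover=cfi, so the failure is only printed
and execution continues; in the default trapping mode the same check would abort
the program.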

========== x.cpp ==============
#include <iostream>
// First base class of B; its only member is the pure virtual f1().
class A1 {
public:
    virtual void f1() = 0;
};

// Second base class of B; its only member is the pure virtual f2().
// The call made through an A2* in main() is the one the CFI check rejects.
class A2 {
public:
    virtual void f2() = 0;
};

// Derives from A1 first and A2 second, and overrides both virtuals as `final`.
// Each overrider only prints its own name to stderr.
// Note that f2 is declared before f1, the reverse of the base-class order;
// the report does not say whether that ordering matters for the failure.
// NOTE(review): fprintf/stderr are declared in <cstdio>, but the listing
// includes only <iostream> -- presumably pulled in transitively; confirm.
class B : public A1, public A2 {
public:
    void f2() final { fprintf(stderr, "f2\n"); }
    void f1() final { fprintf(stderr, "f1\n"); }
};

// Reproducer entry point: makes the same kind of call on one B object through
// a pointer to each of its two bases.
int main() {
    B b;
    // Call through the first base (A1): no CFI error is reported.
    static_cast<A1*>(&b)->f1();
    // Call through the second base (A2): the CFI check for type 'A2' is reported
    // as failed during a non-virtual call, although the object really is a B
    // (see the run-time output below).
    static_cast<A2*>(&b)->f2();
}
=============================

# clang++ -flto -fvisibility=hidden  -fsanitize=cfi -fno-sanitize-trap=cfi
-fsanitize-recover=cfi -fuse-ld=lld x.cpp
# ./a.out
f1
x.cpp:26:5: runtime error: control flow integrity check for type 'A2' failed
during non-virtual call (vtable address 0x00000020b780)
0x00000020b780: note: vtable is of type 'B'
 00 00 00 00  40 34 24 00 00 00 00 00  70 34 24 00 00 00 00 00  00 00 00 00 00
00 00 00  48 b7 20 00
              ^ 
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior x.cpp:26:5 in 
f2</pre>
        </div>
      </p>


    </body>
</html>